Risk Management: Contingency Plans and Resilience

·

Risk management is the discipline that lets an organisation anticipate what can go wrong and decide, with judgement, what to do about it. It does not consist of eliminating uncertainty—impossible—but of turning it into informed decisions: which risks to accept, which to transfer and which to treat. The international reference framework is the ISO 31000:2018 standard, which defines principles and process, complemented by ISO 22301 for business continuity. In this guide we walk through identification, assessment, treatment and, above all, how to build a contingency plan that truly works when the incident arrives.

ISO 31000: the risk management process

ISO 31000 describes an iterative process with well-defined stages: establishing the context, identifying risks, analysing them, evaluating them, treating them, and, throughout all of this, communicating, consulting, monitoring and reviewing. The standard insists that risk management must be integrated into decision-making across the whole organisation, not left as an annual exercise isolated in the audit department.

The first step, establishing the context, defines the risk appetite: how much risk management is willing to accept in exchange for what return. Without an explicit risk appetite, the subsequent assessment lacks a reference point for deciding what is tolerable and what is not. This appetite must be approved at the highest level and communicated, because it is the criterion that aligns decisions throughout the chain of command.

Risk identification: not just the obvious ones

Identifying risks means looking beyond the obvious. The usual techniques combine structured workshops with experts, process analysis, review of historical incidents, sector checklists and scenario analysis. It is worth categorising: strategic risks (a disruptive competitor, a regulatory change), operational risks (the failure of a critical process, the loss of a sole supplier), financial risks (liquidity, exchange rate, bad debt), technological risks (cyberattack, systems outage) and compliance risks (penalties for breaching the GDPR, for example).

A recurring mistake is to stop at the risks that are comfortable to name. The most dangerous ones are usually those of low probability and high impact—the so-called black swans—and the hidden dependencies: the sole supplier whose bankruptcy halts production, or the employee whose departure takes away undocumented knowledge. The business impact analysis (BIA) is the tool that uncovers these critical dependencies.

Analysis and evaluation: the probability-and-impact matrix

Each identified risk is analysed along two dimensions: the probability that it materialises and the impact if it does. The product of the two gives an exposure that allows prioritisation. The classic instrument is the risk matrix (heat map), which crosses both axes on a coloured grid. The analysis can be qualitative (high/medium/low scales, quick but subjective) or quantitative (probabilities and losses in euros, more rigorous but data-hungry).

Here a crucial distinction comes in: the inherent risk is the exposure before any control; the residual risk is what remains after applying the existing controls. The assessment must work with the residual risk, because that is what the organisation actually faces. Confusing the two leads to over-investing in already-mitigated risks or, conversely, to believing yourself protected by controls that do not work.

Risk treatment: the four strategies

Once prioritised, risks are treated with one of four strategies. Avoid: do not carry out the activity that generates the risk (do not enter an unstable market). Reduce/mitigate: implement controls that lower the probability or the impact (system redundancy, training, segregation of duties). Transfer: hand the risk to a third party, typically through insurance or a contractual clause. Accept: take it on consciously when the cost of treating it exceeds the benefit, always with the approval of the level corresponding to the risk appetite.

The decision is neither binary nor permanent. A risk is reduced with controls and the residual is accepted; or part is transferred and the rest mitigated. What matters is that each decision is documented with its owner (risk owner) and its justification, in a live risk register that is reviewed periodically.

Contingency plans and business continuity

The contingency plan is what the organisation executes when a risk materialises despite everything. ISO 22301, the standard for business continuity management systems, structures this capability. Its two key metrics are the RTO (Recovery Time Objective), the maximum tolerable interruption time for a process, and the RPO (Recovery Point Objective), the maximum admissible data loss measured in time. An RPO of four hours implies backups at least every four hours; an RTO of one hour demands hot systems, not manual restoration from tape.

A continuity plan includes the response procedures, the roles and chain of command of the crisis committee, the alternative locations and resources, internal and external communications, and the criteria for activation and for the return to normal. But a plan that has never been tested is not a plan; it is a document. The tests—from the tabletop exercise to the full failover drill—are what reveal that the contact phone number is out of date or that the backup could not be restored.

Key risk indicators and continuous monitoring

A risk that is assessed and filed away is a risk that surprises you again. Mature management defines key risk indicators (KRIs): metrics that act as early signals that the exposure is growing before the event materialises. For a liquidity risk, a KRI might be the current ratio; for a talent-flight risk, the voluntary turnover rate; for a cybersecurity risk, the number of failed access attempts or the mean time to apply critical patches.

KRIs differ from KPIs in their orientation: the KPI measures past performance, the KRI anticipates future problems. Each KRI is assigned an alert threshold that, when crossed, triggers a review of the associated risk and, where appropriate, an action. This continuous monitoring is what ISO 31000 means by integrating risk management into daily operations, instead of relegating it to an annual review disconnected from real decisions.

The effectiveness of KRIs depends on them being measurable with available data, relevant to the specific risk and reviewed periodically so they remain meaningful. A risk dashboard that aggregates the critical KRIs gives management a near-real-time view of the health of its risk profile, far removed from the static report that is looked at once a year.

Risk culture: the factor that does not appear in the register

No methodology survives a culture that shoots the messenger. If reporting a risk or a near miss is perceived as admitting failure, problems are hidden until they blow up. Risk culture is the set of values and behaviours that determine how uncertainty is handled day to day, and it is as decisive as any matrix or procedure. An organisation with a healthy risk culture encourages early reporting, analyses mistakes without hunting for culprits and understands that taking calculated risks is part of doing business.

The tone is set by management. When leaders actively ask to know the risks, reward transparency and take decisions consistent with the declared appetite, the rest of the organisation internalises that risk management is something that helps, not bureaucratic red tape. The three lines of defence—the operational managers who take the risk, the control functions that oversee it and the internal audit that provides independent assurance—only work if that culture sustains them. Without it, the best framework becomes a dead letter the day it really matters.

Table: risk treatment strategies

StrategyActionWhen to apply itExample
AvoidEliminate the activityIntolerable and dispensable riskDo not operate in a sanctioned area
ReducePreventive controlsHigh risk but the activity is necessaryServer redundancy
TransferInsurance or contractHigh impact, low frequencyCyber insurance, SLA clause
AcceptTake on the residualCost of treating > benefitMinor risk within the appetite

Common mistakes in risk management

The first is treating the risk register as a compliance document that is updated once a year and that no one consults to decide. The second is assessing the inherent risk and ignoring the residual, or the reverse, assuming the controls work without verifying it. The third is a continuity plan with no tests: the first time it is run is during the real crisis. The fourth is not assigning a risk owner, so that the risk belongs to everyone and therefore to no one. The fifth is confusing probability with historical frequency and underestimating rare, high-impact events that have not happened yet.

Frequently asked questions

How do RTO and RPO differ? The RTO measures how long a process can be down before causing unacceptable harm; the RPO measures how much data you can afford to lose. The first sizes the speed of recovery; the second, the frequency of the backups.

Is inherent risk the same as residual risk? No. The inherent risk is the exposure without controls; the residual is what remains after applying them. Treatment decisions are made on the residual, which is the real risk the organisation faces.

Do I need to be certified to ISO 31000? ISO 31000 offers guidelines and is not certifiable. ISO 22301 for business continuity is certifiable and is often required in contracts with critical clients or in regulated sectors.

How often is the risk register reviewed? Continuously for critical risks and, as a minimum, in formal periodic reviews (quarterly or half-yearly) and always after relevant changes in the context or after incidents.

Conclusion

Business resilience is not a matter of luck or size, but of method: an explicit risk appetite, a live register where each risk has an owner and a strategy, an honest assessment of the residual risk and contingency plans tested before you need them. The difference between the organisations that survive a crisis and those that do not is rarely the severity of the event; it lies in whether the RTO and RPO were defined realistically, in whether the backup was ever restored in a drill and in whether the crisis committee knew who to call. ISO 31000 and ISO 22301 provide the structure; the discipline of testing and reviewing delivers the results. At Summum Marketing we help companies build that system and subject it to the tests that separate the real plan from the decorative document.